The concepts of risk, information management, cybersecurity, 3rd party due diligence, and vendor management are nothing new for the Alternative Investment industry.

One of the investment industry’s leading software technology companies, Backstop Solutions, brought these topics center stage during their user conference in Chicago, IL.

Backstop is the creator of one of the most widely used tools in the Alternative Investment space.

Expert Panel Discussion

CIT’s Lawrence Cruciana addressed the conference on the topic of the CyberSecurity landscape in the Alternative Investment space. He was joined by Backstop’s VP of information security, Michael Newman, and representatives from ACA/Aponix and SecureWorks.

The panel addressed many relevant topics, including the shift of attackers from larger targets to smaller organizations, especially smaller banking and financial services organizations.

Heavily discussed was the shift of regulatory oversight by the SEC as Rule S-P begins to be enforced, as were the changing demands of the due diligence process (including the rapidly shifting expectations of firms to quantify the Information Security and privacy controls that their vendors and external asset managers employ). The entire information ecosystem of a subject firm, including their vendors and privacy controls, now must be incorporated into Third Party / Operational Due Diligence (3PDD/ODD) processes.

These topics were brought into an even more applied form when famed security researcher Chris Roberts joined the panel for a discussion focusing specifically on ODD. Roberts’ unique perspective brought this very salient topic to the forefront as one of the most critical issues facing both the alternative and traditional investment industries.

The overall security and custodianship of information continues to be a focus of cybersecurity efforts in the investment space.

As we’ve shared previously, the shift from technical safeguards to those which cross human-systems continues.

The Importance of IT Security for Software Users

For many attendees, the most remarkable takeaway from this conference wasn’t the excitement surrounding new tools within Backstop’s software, or the candid platform for discussion of relevant topics in the Alternative space, or even the impressive line-up of InfoSec talent that was present… though, it was really impressive.

Rather, it was that a software company dedicated a substantial portion of their user conference to discuss cybersecurity in an industry that has historically focused such conversation only to “IT” or “Security” events.

Backstop’s Michael Neuman and their entire executive cadre have brought needed visibility and conversation to a broad base of investment professionals.

Cybersecurity responsibility and awareness aren’t limited to IT any longer. They impact every individual within an organization.

Investment and other financial-services firms are especially vulnerable to human-vectored cyber-attack due simply to the nature of the industry.

More software companies in this space should take a lead from Backstop and include “Cyber” in their broad-audience conversations.

Thank you Backstop for taking such a proactive approach to Cybersecurity!

Conference Takeaway: The Risks of Technology Growth that Affect Everyone

The nearly limitless possibility and opportunity brought by this brave new world is balanced by risk.

Risk mitigation, avoidance, and management have long been central to the financial industry.

With increasing oversight and regulation, firms face more numerous and onerous regulations dictating how acceptable risk is defined.

In recent years, it is not difficult to understand why – the long list of potential perils now includes insider and cyber-based threats.

By its very nature, the digitization of the industry and therefore the information underpinning it is borderless, fast moving, and intended to extend the reach far beyond the four walls of any firm.

These same attributes bring risks never before present in the industry.

Small Businesses are at Risk

The traditionally paper-and-person way of doing business is being rendered seemingly obsolete and antiquated as borderless digital services make what was once a financial services fantasy an attainable reality.

The industry has been left trying to reconcile many post-depression-era safeguards with a 21st-century workflow and customer base.

IBM/Ponemon reported that in a 2015-2016 study of over 1,300 financial firms which were victims of a cyber attack or data breach, on average a single compromised record cost these organizations $257.

Most firms have thousands to tens-of-thousands of records. When the financial penalties that can come from regulatory bodies after a reportable cybersecurity incident are factored into this equation, the direct financial costs of such an incident become daunting.

Often missed from the impact analysis of a security incident are the soft costs of client trust and firm reputation.

The net result is highly unfavorable from whatever the vantage point.

Firms must recognize and learn how these risks can be effectively mitigated to allow the amazing potential and empowerment of a borderless and hyper-connected financial services industry.

Adopting a few simple guidelines can provide tremendous value and protection to the information firms rely so heavily upon.

Given the overwhelming sea of cyber-based threats and the daunting downside consequences of a data breach, the first suggestion that we would offer to private investors, fund managers, and firm executives is to understand the landscape and vernacular.

Caught in the mire of cybersecurity risk, regulation, and mitigation, this may seem like an unrealistic objective. However, applying basic risk management and mitigation techniques to cyber issues is step one.

To accomplish this, we advocate the following steps to begin to quantify and control information-centric cyber-risk.

Mitigating Your Risk

1. Adopt a framework.

These cybersecurity frameworks are both derived from the extensive research and practice of the U.S. Government as published by the National Institute of Standards and Technology (NIST) 800 series of guidelines. Why use a framework? Simple. These frameworks provide a common language for executives, technologists, auditors/examiners, and consultants to communicate with each other. They establish common and pragmatic goals that are largely divorced from the increasing sophistication of industry jargon and the attack-du-jour.

2. Understand the firm’s information assets.

Once a framework is chosen for the firm, the next step is to establish an understanding of what information is being stored, accessed, or generated and where that information resides.

Categorize the information into large category-wide silos based on its C-I-A (Confidentiality, Integrity, and Accessibility) needs.

These silos often transcend organizational units, departments, and even business units.

This process, considered strategic information asset categorization and classification, allows for appropriate protection of these assets.

3. Identify appropriate protective methodologies.

Armed with the location, nature, and CIA of the firm’s information, prioritize the silos with information that is sensitive or regulated in nature.

Special attention should be given to silos that contain Personally Identifiable Information (PII).

With silos defined, define a data protection plan that enumerates how to best and most appropriately protect that information.

It is important to note that “how to best protect” information must transcend office walls and corporate headquarters.

The technical, physical, administrative, and associative protection modalities of such methodologies must be considered.

To emphasize the borderless nature of information, every point from which information can be accessed must be taken into account when formulating a data protection plan.

4. Validate and document information security controls.

Securing the information assets and validating those security controls completes the process.

A commonly overlooked first step is to document the firm’s information assets and the protective methodologies associated with each asset.

Once completed, validate the information security controls using an established methodology.

This practice may come in the form of an information security assessment or a review by a qualified security assessor.

Regardless of how an assessment is conducted, utilizing the firm’s established security framework permits a common, consistent, and repeatable assessment process.

Special consideration must be given to the nature of the assessments above; both engagements differ from a “Penetration Test”.

Penetration tests are complex and multifaceted technical engagements, which evaluate an external adversary’s ability to gain access to an organization, move throughout that organization while avoiding detection, and to access sensitive information.

Simply, these tests are the culmination and validation of security efforts across an organization.

This undertaking would be akin to requesting Special Forces soldiers to test their ability to gain access to a home. Clearly, the locks on the doors would be no match for high explosives and a trained breach team.

Many firms waste precious time and resources engaging in such penetration exercises when even the most basic security controls have yet to be implemented.

Conclusion

Notice the lack of acronyms or buzzwords. That is intentional. Buzzwords will change, technology will change; however, the nature of a financial services firm will not fundamentally change.

Firms large and small exist to deliver value to their clients, investors, partners, and shareholders.

The modality of value delivery will most certainly change but not the fundamental mission and purpose of the industry.

What You Need to Know about KRACK Attacks
https://www.corp-infotech.com/krack-vulnerability/
Wed, 18 Oct 2017 11:00:42 +0000

Taking a deeper look at the KRACK Wireless Vulnerability

Background

In May of 2017, security researcher Mathy Vanhoef published a technical paper outlining a potentially catastrophic vulnerability within an encryption protocol used within Wireless Computer Networks. This vulnerability has taken the “protected” out of Wi-Fi Protected Access II (WPA2) Wireless Networks.

Those networks, both corporate and residential, are likely not as safe as you once thought.

The Key Reinitialization Attack, or “KRACK”, exploits a vulnerability in the encryption handshake of the WPA2 protocol and can be carried out by an attacker within range of a victim Access Point or Client.

Attackers can use a KRACK to read information that was previously assumed to be safely encrypted within the wireless data transmission itself. This can be used to steal sensitive information such as credit card numbers, passwords, emails, etc.

It also is possible to inject data into a Wireless network connection.

Misconceptions in the Popular Media

Although the popular media has shared and re-shared this story, there are several key points that are being mis-reported that should be clarified.

First, this attack has been demonstrated and validated by several third-party security researchers.

While the attack is sophisticated (as far as wireless network attacks go), it has found its way into open-source (free) penetration testing tools. This means that both the good guys and bad guys have equal access to the tools needed to easily carry out this attack.

Next, this attack is effective against all modern WiFi networking equipment.

There are several vendors that have reported that they are not vulnerable to the attack, but they have yet to submit any testing and validation of their immunity to the InfoSec community at large (at the time of this publication).

The remainder of vendors on the ‘Not Vulnerable’ list, like VMware, simply don’t make Wireless Networking equipment.

Finally, the attack does not permit the take-over or take-down of affected Wireless Access Points or Wireless Network Controllers directly.

While it is absolutely possible to launch a secondary attack against these devices using a KRACK as an initial attack vector, KRACK itself does not provide unfettered access to all wireless equipment.

Remediation

Put simply, Wireless Network Equipment manufacturers and Operating System manufacturers must both patch their products.

This vulnerability, while very significant in scale, is not unlike other wide-spread vulnerabilities. Mitigation and remediation of the vulnerability will be provided through a software update from each respective manufacturer.

It is currently considered best practice that both wireless clients (workstations / computers) and network equipment (Access Points / Wireless Controllers) be patched.

Patching only a client or only an Access Point does not mitigate the vulnerability – both must be patched.

Networks which are specifically vulnerable are those utilizing WPA2-TKIP or GCMP encryption protocols.

Most commercial Wireless Networking equipment manufacturers have released patches for this vulnerability. Microsoft has released a patch for Desktop Operating Systems: Windows 7, 8, 8.1, and 10, as well as Server Operating Systems: Windows Server 2008, 2008 R2, 2012, 2012 R2, and 2016. These patches were released between 10/10/17 and 10/16/17.

Mitigation

For Non-Admins

For those who are not Wireless Network or Windows Systems administrators, here are a few ways you can protect yourself from this attack.

Keep in mind that most attacks are opportunistic in nature – large public gathering spaces, coffee shops, and other areas which would provide an attacker a significant number of potential victims are more likely to be targeted.

Avoid public Wi-Fi at all costs. This includes Google’s protected Wi-Fi hotspots until Google says otherwise.

While on any Wireless network, only connect to secured websites – those that use HTTPS or another secure connection will include HTTPS in the URL. You should contact any company whose services you use and ask if the connection is secured using TLS 1.2, and if so your connection with that service is safe for now.

If you have a corporate or paid personal VPN service that you trust you should enable the connection full-time on all wireless networks until further notice.

Use a wired network if your router and computer both have a spot to plug in an Ethernet cable. This exploit only affects 802.11 traffic between a Wi-Fi router and a connected device.

Apply Operating System patches to all relevant devices including mobile phones. Use this list to locate the manufacturer of your device to learn how to go about receiving the applicable patch.

Apply patches to all Wireless Networking equipment that you own or manage. The above list can also be used to locate the appropriate source for updates to your equipment.

WiFi is everywhere! Many devices, like medical implants and health monitors, may be very difficult to update. Regardless, they are still vulnerable to this attack. Locate those which transact sensitive information and take action to update them.

Take this seriously. While there are many acronyms being used in the conversation about this vulnerability, ignorance does not diminish your risk. Take action and update your devices. If you don’t know how to, Contact Us or another trusted computer professional.

For Admins

For Network and Windows Systems Administrators, there are several steps that you can take to mitigate the impact of this vulnerability within your environment.

Communicate the risk and actions that your organization is going to take in response to the KRACK vulnerability. Keep your user-base informed that you are aware and are taking action.

Identify every 802.11 Wireless device within your organization. That may include VoIP phones, printers, copiers, laptops, tablets, etc. WiFi is everywhere. Each one of these devices will require an update to mitigate its exposure to this vulnerability.

Familiarize yourself with the underlying MITRE CVEs which have resulted from this vulnerability. Many manufacturers are remediating their exposure to some but not all KRACK exploits. Further, these vendors may release subsequent patch(es) to fully remediate the full-set of KRACK CVEs. Track what vendor is patching what CVE(s) as patches are deployed.

Stay vigilant and abreast of the developments with this vulnerability. US-CERT (link below) is the best source of information relating to the developments surrounding KRACK, also known as VU#228519.
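
One way to do the per-vendor CVE tracking described in the admin steps above, as an added example that is not part of the original article. The device names, vendors, versions and advisories are constructed sample data, the function and class names are hypothetical, and the CVE identifiers are placeholders to be replaced with the IDs listed under VU#228519.

```python
from dataclasses import dataclass

# Placeholders only: substitute the CVE IDs listed under VU#228519.
KRACK_CVES = frozenset(f"CVE-PLACEHOLDER-{n}" for n in range(1, 5))


def parse_version(text):
    """Turn '8.3.0' into (8, 3, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Device:
    name: str
    role: str        # "client" or "ap"
    vendor: str
    version: tuple   # installed OS / firmware version


@dataclass(frozen=True)
class Advisory:
    vendor: str
    fixed_in: tuple  # first release that contains the fix
    cves: frozenset  # KRACK CVEs that release remediates


def assess(device, advisories):
    """Split a device's open KRACK CVEs into 'fix released but not
    installed' and 'vendor has published no fix yet'."""
    mine = [a for a in advisories if a.vendor == device.vendor]
    applied = set().union(
        *(a.cves for a in mine if device.version >= a.fixed_in))
    published = set().union(*(a.cves for a in mine))
    still_open = KRACK_CVES - applied
    return {
        "open": sorted(still_open),
        "upgrade_fixes": sorted(still_open & published),
        "awaiting_vendor": sorted(still_open - published),
    }


def link_exposure(client, ap, advisories):
    """Open CVEs for one client/AP pairing, following the article's rule
    that a pairing is remediated only when both ends are patched."""
    open_client = set(assess(client, advisories)["open"])
    open_ap = set(assess(ap, advisories)["open"])
    return sorted(open_client | open_ap)


# Constructed sample data: one vendor fixed everything in a single release,
# one vendor is fixing the CVEs in stages, one has published nothing.
ADVISORIES = [
    Advisory("ExampleOS", parse_version("10.0.1"), KRACK_CVES),
    Advisory("ExampleAP", parse_version("8.3.0"),
             frozenset({"CVE-PLACEHOLDER-1", "CVE-PLACEHOLDER-2"})),
    Advisory("ExampleAP", parse_version("8.4.0"),
             frozenset({"CVE-PLACEHOLDER-3"})),
]
DEVICES = [
    Device("finance-laptop", "client", "ExampleOS", parse_version("10.0.2")),
    Device("lobby-ap", "ap", "ExampleAP", parse_version("8.3.0")),
    Device("copier-2f", "client", "ExamplePrint", parse_version("2.1")),
]


def report(devices, advisories):
    """Map each device name to its assessment."""
    return {d.name: assess(d, advisories) for d in devices}


if __name__ == "__main__":
    for name, result in report(DEVICES, ADVISORIES).items():
        print(name, result)
    laptop, ap = DEVICES[0], DEVICES[1]
    print("finance-laptop via lobby-ap:",
          link_exposure(laptop, ap, ADVISORIES))
```

Re-run the report whenever a vendor publishes a follow-up patch; anything left under "awaiting_vendor" is a device to isolate or move to a wired connection in the meantime.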

Is My Copier Spying on Me?
https://www.corp-infotech.com/is-my-copier-spying-on-me/
Thu, 16 Mar 2017 11:00:02 +0000

Vulnerabilities in IoT

As the phrase “Internet of Things” or IoT enters our cultural vernacular, many wonder what this new term means.

The Internet of Things

Simply put, IoT is the term given to connecting non-traditional devices to a computer network – most notably the Internet. Businesses have been connecting “things” to the network for a long time. Copiers, CCTV cameras, and even the occasional coffee machine are longtime residents of the Local Area Network.

As the integration of other devices and sensors propagates in many industries, it will become more common for bridges and roads, medical devices, body area networks (think FitBit), and even vehicles to join in the network. The benefits and possibilities of this new connectedness are virtually limitless, but as Information Security practitioners we ask the question, “How do you secure such devices from eavesdropping and malicious actors?”

Big Technology’s Growing Pains

In October, the Internet witnessed a massive Denial of Service attack – the largest in history – waged against Internet DNS and infrastructure giant Dyn. This attack took many major websites offline including Netflix, PayPal, Reddit, and Twitter. The attack also impacted or impaired many cloud services, including Amazon AWS.

After the dust settled, the tool used to perpetrate the attack was found to be a small, unsophisticated network worm named Mirai. That’s right, a worm. It was not too far from the technology that impacted MS-DOS and Windows 3.1-era computers. This attack demonstrated the immature security posture of many of the IoT devices that now number in the hundreds of millions.

It has, rightfully so, raised serious concerns from both the FCC and Congress.

Virginia Senator Mark Warner called the widespread use of insecure IoT devices “a threat to the resiliency of the Internet” in a letter to the FCC. Senator Warner’s letter goes on to state, “Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none.”

Whose responsibility is it?

Is it truly nobody’s responsibility to ensure the security of the devices that are connected to a network? In this age of hyper-connectedness and connected critical infrastructure, it is every business’ responsibility to secure and properly protect its digital assets. That responsibility extends to IoT device manufacturers, who must update and adequately equip their devices to be compatible with modern security protocols. If businesses demand improved accountability externally, they should be willing to take the steps necessary to secure their assets internally.

Vulnerabilities exist far and wide within the IoT space. Taking reasonable controls to secure external access to these devices goes a long way to safeguard their use within critical applications. Simple steps such as requiring IoT application administrators to change default passwords and ensuring that, where applicable and able, IoT systems operate on separate network subnets that are only accessible through carefully configured gateways can dramatically reduce the scale and scope of IoT exploitation.

IoT is an exciting frontier of technology. The applications for sensing, control, and interactivity are virtually limitless. Incorporating tried-and-true security mechanisms and protocols from traditional IT into IoT can deliver a more successful and secure application.

CIT is an expert in Industrial Control Systems (ICS) and IoT security. We’ve worked to secure mission critical Ethernet-connected IoT applications using mDNS, QUIC, Aeron, uIP, TSMP, XMPP, ISA10.11a, 802.15.4, NFC, AND, OTrP, AMQP, IoTivity, RPM, and LPWAN. In the Industrial Control arena, we’ve worked with ICS systems and protocols from Allen Bradley to BacNet to SCADA to ModBus and delivered secure solutions to clients in power, utility, water, textiles, and defense industries.

Remember . . . Always Practice Safe BYOD
https://www.corp-infotech.com/remember-always-practice-safe-byod/
Fri, 13 Jan 2017 06:11:19 +0000

Bring Your Own Device (BYOD) Into Your Business

No matter what blog or magazine you read these days, it seems like everyone is talking about today’s increasingly mobile workforce and the BYOD (Bring-Your-Own-Device) movement.

We live in an exciting time when work can be done at any time from any place. Employees love the fact that they can get work done on their iPad as they sit poolside sipping a Pina Colada. Businesses love the cost savings along with the happier and more productive employees they’re noticing. Meanwhile, customers and clients take note that their emails are commonly answered outside traditional work hours with a “Sent from my iPhone” tagline at the bottom.

Like anything related to business technology, there are naysayers who are quick to warn that a more mobile and dispersed workforce also means increased security risks.

Do they have a point?

It turns out there are some very legitimate concerns but nothing that can’t be minimized, if not altogether eradicated, with the practice of safe BYOD.

Here are a few suggestions

Create a Mobile Device Security Policy:

A comprehensive mobile security policy is critical. This policy must cover everything from the type of devices allowed to how and where data and files are edited, saved, and shared. Combining this policy with a sound mobile strategy is your best bet to integrate BYOD into your workplace with minimal consequences.

Enforce This Policy:

It’s good to take the time to prepare a document that outlines policy, but don’t stop there. Be sure to enforce this policy. This is especially important for small-to-midsize businesses, particularly startups that are sometimes guilty of being too laid back despite all the caffeine consumed at their in-office coffee bars. Make the following words your mantra when it comes to enforcing this policy. No Exceptions. Ever. Seriously, 41% of small businesses have a BYOD policy in place but 25% make exceptions to their own rules.

Train Employees:

A BYOD plan has no chance of succeeding unless it is properly communicated to users. It’s important that each employee recognize his or her responsibilities and the repercussions of failing to follow security rules. The best defense against cybercrime will always be a knowledgeable and conscientious employee.

BYOD can give any organization, big or small, a competitive advantage. Harness the power of BYOD by planning ahead and sticking to your plan.

What is Hyper-convergence?
https://www.corp-infotech.com/what-is-hyper-convergence/
Tue, 10 Jan 2017 07:00:35 +0000

It seems like a new buzzword or acronym is developed in the IT industry daily. As a small business, it can be difficult to cut through the noise and identify what technology is the right fit for you.

Most recently, the term “hyper-convergence,” or hyper-scale computing, has made its debut. This technology offers some very real and very exciting benefits.

This post intends to provide smaller organizations with information on how to use a data-driven approach to decide if this technology is right for them, as well as how it differs from existing virtualized infrastructure.

Hyper-Convergence Explained

Largely gone are the days of physical server-to-application pairing.

Today, most workloads are delivered by virtual servers that reside within a virtual data center. These virtual data centers are, by and large, provisioned as a private cloud, meaning that each organization owns (or directly controls) the hardware that provides the compute, network, and storage resources it needs.

This architecture is commonly referred to as a 3-tier architecture – Compute, Storage, Network.

The explosion of virtualized server workloads — such as databases, network services, collaboration applications, and unified communications — has given rise to the need for a more intelligent approach to infrastructure management. With hundreds of virtualized applications running in a typical datacenter, IT infrastructure requires alignment with the virtualization stack.

Traditional 3-tier architectures result in inefficiencies in provisioning, silos between IT and business units, and inability to scale globally as business continues to grow.

Hyperconvergence exists in order to solve many of these inefficiencies by leveraging technology that was originally developed for web-scale companies such as Amazon and Google. Hyperconverged systems offer an integrated system that combines compute and storage resources into a 100% software-defined solution. This is typically deployed in an appliance model: as an organization needs additional compute and/or storage resources, the virtual data center can be linearly scaled by simply adding an additional appliance.

These appliances integrate leading software-deployed features that are found in large enterprises — such as intelligent data tiering, high-performance flash storage, and dense hard disk drives — for high performance and low latencies across a large storage capacity. Such features are typically universal across every appliance and every data center, resulting in a uniform parity of features.

In most smaller organizations this is demonstrated through a uniform set of features available at all levels and functions of the virtual data center. One such example would be the ability to have the same features among production, development, and disaster recovery virtual data centers. In addition to providing a parity of features across an entire enterprise, these appliances typically offer management of all functions in all data centers from a single pane of glass. For distributed organizations with multiple data centers, or even smaller organizations with distributed IT resources across offices, this can be a huge time saver!

As the “software-defined” name implies, most hyperconverged platforms are self-healing and can be easily upgraded through a process that commonly doesn’t involve hardware changes. These features eliminate the operational complexity that is typical of server virtualization environments with 3-tier infrastructure, as well as the associated siloed feature management and upgrade lifecycle of these systems.

With such an ease of management, parity of features, and ultra-simple upgradeability, why would an organization not move to a hyperconverged platform? The answer is in the workload.

Workload analysis and establishing the ‘right fit’

Hyperconverged systems offer scale-out simplicity and in many workloads can provide an organization with a reduction in the Total Cost of Ownership (TCO) of a virtual data center. There are several workloads that specifically lend themselves to a hyperconverged infrastructure. These include:
Virtual Desktop Infrastructure – a large number of relatively small virtual machines that require scale-out capabilities (possibly even of an automated nature) but a relatively small storage footprint.
Web-server or application-server farms – compute-dense servers that require advanced storage features and high-uptime.
Highly dispersed applications – applications that utilize multiple tiers of data processing, analytics, and/or database storage.
This list is by no means exhaustive, but is typical of highly successful deployments of hyperconverged infrastructure.

The inverse of this argument comes with workloads that are specifically not well suited for a hyperconverged environment. These include:
Large volume file storage – DFS, AFS, or Cell-based storage arrays
Highly transactional large RDBMS
Highly compute-intensive, fault-tolerant, thread-context aware applications
These workloads often demonstrate poor performance or are disproportionately expensive to deploy on a hyperconverged virtual data center.

The take away

Properly architecting a fully or partially hyperconverged virtual data center requires a comprehensive understanding of the ultimate workloads intended to run within the environment. Integrating existing storage, compute, and network into the ultimate solution can drive down costs and improve adoption, given the right mix of available (existing) technologies.

It’s easy to “rip-and-replace” existing infrastructure, although this is often not the most cost effective or most optimal method to deploy a new hyperconverged infrastructure. Rather, integration and distribution of workloads across existing underlying virtual infrastructure often provides for the most optimal deployment methodology for a new hyperconverged platform. This platform can then deliver the maximum amount of return – of both investment and native management efficiencies – through the optimal placement of workloads. The benefits and cost-advantages of a hyperconverged data center can quickly be leveraged and realized when this method is employed. Long-term continued realization of these benefits can be largely dependent on planning and workload deployment modeling during the Proof of Concept phase of the project.

Planning really is that important! Don’t go it alone! Involve a partner that has navigated such a project and can take the time to understand the intricacies of your specific business use case and environment.


The Next Generation – Wearable Tech
https://www.corp-infotech.com/the-next-generation-wearable-tech/
Thu, 03 Apr 2014 12:32:56 +0000

It seems that technology has taken over nearly every part of our lives. It’s in our homes, cars, offices, and even bathrooms. Wearable tech and the “Internet of things” may mean smart thermostats can turn Nest into a multi-billion-dollar company that no one had heard of before and perhaps pave the way for Google House, but in terms of hardware (hardwear?) the Moto360 is one of the first pieces of wearable tech that is designed and intended for integration into our every move. It has the promise of controlling an entire universe of other network-attached gadgets. While the “Internet of Things” is most certainly here, will this (and other similar devices) be our gateway to this other world of interconnectedness?

The Situation – Microsoft Windows XP – Part 2
https://www.corp-infotech.com/the-situation-microsoft-windows-xp-part-2/
Tue, 11 Mar 2014 15:45:00 +0000

Updates:

Will Microsoft Security Essentials be supported after April 8, 2014?

Microsoft Security Essentials will not be available for download on Windows XP after April 8, 2014. If you already have Microsoft Security Essentials installed, you will continue to receive anti-malware signature updates through July 14, 2015. However, please note that PCs running Windows XP after April 8, 2014 should not be considered protected.

Which machines will receive the Windows XP End of Support notification?

The notification will be sent to users of Windows XP Home and Windows XP Professional who have elected to receive updates via Windows Update. Users in organizations using Windows Server Update Services (WSUS), System Center Configuration Manager, or Windows Intune will not receive the Windows XP end of support notification.

After more than a decade on the market, Windows XP is finally getting retired by Microsoft. That means the company will no longer issue Service Packs, security patches or bug fixes for the operating system.

What’s more, many third party software developers will discontinue support for their applications on Windows XP after Microsoft’s deadline.

What’s at stake:

Smooth operation of desktop computers, throughout an enterprise.

This could all cause big headaches for enterprises still running the OS.

Here are some key points about Microsoft’s transition plan:

Windows XP Extended Support ends April 8, 2014. Microsoft offers three levels of support during the life of a product. Mainstream Support runs for the first five years, during which the software maker is responsible for fixing any problems. Extended Support typically lasts another five years, during which support is limited to security patches. The only option after Extended Support is pricey Custom Support. Microsoft ended Extended Support for 32-bit Windows XP with Service Pack 2 in 2010. It is providing Extended Support for 64-bit Windows XP with Service Pack 2, and 32- and 64-bit Windows XP with Service Pack 3, until April 2014.

App support may also end. It’s not just Windows XP that’s losing support. Many independent software developers have said that their new products will not be supported on systems running XP. And Microsoft itself has said that its Office 2013 suite, which includes new versions of Word, PowerPoint, Excel and other apps, is not XP-compatible. Additionally, many hardware makers are discontinuing production of Windows XP drivers for their devices.

Office 2003: Along with Windows XP, Microsoft will also end support for Office 2003 on April 8. Organizations still running Office 2003 will most likely want to upgrade to Office 2010 or Office 2013, which offers desktop and cloud-based productivity apps. Office 2013 also is touch-friendly and geared for use with Windows 8 tablets.

No matter how comfortable organizations are with their Windows XP systems, attempting to stay on the platform isn’t worth the downsides, according to analysts. “Understand the risks that lack of support for these products will bring to your organization,” said Gartner, in a recent report.

The top 5 ways to avoid getting hacked while visiting Russia (or anywhere, for that matter)
https://www.corp-infotech.com/the-top-5-ways-to-avoid-getting-hacked-while-visiting-russia-or-anywhere-for-that-matter/
Sat, 08 Feb 2014 19:24:59 +0000

Yesterday (Feb 5 2014) NBC News ran a story claiming that if you bring your mobile phone or laptop to the Sochi Olympics, it’ll immediately be hacked the moment you turn it on. The story was fabricated. After further examination we found that the technical details of the hack didn’t make sense. Really, the exploit (and story) relate to going to the Olympics in cyberspace (visiting websites), not going there in person and using the local Internet connections.

A few relevant points:

The story shows Richard Engel “getting hacked” while in a cafe in Russia. It is wrong and was misrepresented if not altogether misreported:

1. They aren’t in Sochi, but in Moscow, 1007 miles away.
2. The “hack” happens because of the websites they visit (Olympic themed websites), not their physical location. The results would’ve been the same in America.
3. The phone didn’t “get” hacked; Richard Engel initiated the download of a hostile Android app onto his phone.

So, on the eve of the opening ceremonies of the 2014 Winter Olympics, we leave you with some salient guidance on how to not get hacked while traveling:

1. Don’t click on stuff if you don’t know where it came from.
2. Before you leave, patch your operating system and applications (browser, Flash, PDF).
3. Get rid of the really bad stuff (old Java, unpatched applications, most Adobe browser-integrated products).
4. Don’t click on stuff (see #1).
5. Oh, and if you really are in Sochi (or anywhere that you don’t control the network), use a VPN over the public networks, including WiFi.
6. Encrypt your local hard disk (or solid-state) drive.
7. Don’t leave your computer unattended. Ever.
8. Don’t leave your computer logged in with your user account. (See #7)
9. Ensure your antivirus, antimalware, and anti-rootkit software is up-to-date and running. If you don’t have these or don’t know what they are, contact your favorite IT company and ask for help.
10. Ensure your personal operating system firewall is running and properly configured.

We of course can help you with any of these. We can even help you create a formal and verifiable endpoint computer security system. If you need help with any of this, please give us a call, email, or tweet!

Special thanks go to the technical consultant quoted in the NBC article, Kyle Wilhoit, for providing us with specifics on the technical details of this ‘hack’.

Dropbox: Taming the Wild West
https://www.corp-infotech.com/dropbox-taming-the-wild-west/
Sat, 08 Feb 2014 18:43:01 +0000

A modern-day Wild West can be found in the slapdash enterprise use of cloud-based file storage and sharing. But new security technologies put user-managed security atop those platforms without burdening the IT department with lots of administrative overhead.

“Transparent layers of encryption with enterprise-owned and managed private keys can now be implemented on top of Dropbox’s intuitive file sharing and transport technologies,” says Lawrence Cruciana, CIT’s CTO.

“We are now able to safely and securely utilize what was the wild west to reliably and securely transport enterprise data to multiple endpoints,” Cruciana added.

We can now even control levels of encryption and distribution by file or folder. This is a huge advance in terms of enterprise adoption of Dropbox and similar services. We will soon be able to integrate this into Box, Google Drive and Microsoft OneDrive (formerly SkyDrive).

If you want to learn more about this exciting technology, let us know!